[Dovecot] passwd-file maintenance by users, other options
I am using Dovecot to provide IMAP and IMAP+SSL service for my users, but am still using QPopper for POP3 service, wrapped with stunnel for POP3+SSL.
I am hesitant to get rid of QPopper because it supports APOP, which encrypts authentication data (both where it is stored, and when it is transmitted), and because APOP passwords can be managed by the users themselves, via the popauth tool that they can run from their shell accounts.
I'd like very much to use Dovecot for POP3, but would need to have it be comparable to APOP, where authentication does not involve having user passwords going across the wire in the clear, and especially I need for users to be able to maintain their passwords themselves, preferably with their status as a current user of the system being established without my intervention; I don't want to have to manually keep things in sync with /etc/passwd. Furthermore, it needs to have no conflicts with popular email clients including Mozilla, Outlook, Outlook Express, and Eudora, so unusual authentication mechanisms are not really an option.
I've RTFM at http://www.dovecot.org/doc/auth.txt but I don't know how to establish a separate passwd file that would satisfy the requirement that users be able to maintain their passwords themselves. And PAM is a complete mystery to me.
So what do you all do? Is there a tutorial somewhere that would help?
Thanks,
M.
Hi Mike,
On Apr 3, 2004, at 1:31 AM, Mike Brown wrote:
> I've RTFM at http://www.dovecot.org/doc/auth.txt but I don't know how to establish a separate passwd file that would satisfy the requirement that users be able to maintain their passwords themselves. And PAM is a complete mystery to me.
Why don't you move to a database instead of having a password file? If you use a database, you could easily write a php-web-interface for your users where they can update or change their passwords. The only thing you won't solve is the APOP issue, but since you already support IMAP as well, why not allow pop3 too? Almost all clients support ssl connections to both pop3 and imap, so why bother with the password being sent plain-text over the wire?
> So what do you all do? Is there a tutorial somewhere that would help?
We use dovecot with postgresql as a database backend, we have no tutorial, but in the wiki of dovecot there was a tutorial on how to get both dovecot and postfix to read a postgresql database:
http://wiki.dovecot.org/moin.cgi/DovecotPostgresql
The virtual user stuff in postfix is something you might not need, but it does describe the setup of dovecot for postgresql.
> Thanks,
> M.
Kind regards,
Maikel Verheijen.
Maikel Verheijen wrote:
> Why don't you move to a database instead of having a password file? If you use a database, you could easily write a php-web-interface for your users where they can update or change their passwords.
I have a real problem suggesting using databases for something as simple as a password file. kind of like using a bulldozer to park your car. can be done but usually causes a boatload of damage and a great deal of regret.
a simple dbm file is sufficient for this task. gdbm seems to be a reasonable instance.
> The only thing you won't solve is the APOP issue, but since you already support IMAP as well, why not allow pop3 too? Almost all clients support ssl connections to both pop3 and imap, so why bother with the password being sent plain-text over the wire?
very good suggestion. a great tool for generating and managing certs in the small is tinyca. http://tinyca.sm-zone.net/
--- eric
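The dbm suggestion above combined with the self-service requirement from the first message, as an added example that is not part of the thread or of Dovecot: a popauth-style tool that takes the account name from the caller's uid and keeps a salted PBKDF2 hash in a dbm file, which fits the plain-login-over-SSL approach from the replies. The record layout, iteration count and function names are assumptions, and how the mail server is configured to consult the file is not shown.

```python
import dbm, hashlib, hmac, os, pwd

ITERATIONS = 200_000  # PBKDF2 work factor (constructed value for this example)

def current_user() -> str:
    """Account name from the real uid, so a user can only touch their own entry."""
    return pwd.getpwuid(os.getuid()).pw_name

def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def set_password(db_path: str, user: str, password: str) -> None:
    """Store 'iterations$salt$hash' (hex) for user; the password is never stored."""
    if len(password) < 8:
        raise ValueError("password too short")
    salt = os.urandom(16)
    digest = _derive(password, salt, ITERATIONS)
    record = "%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())
    old_umask = os.umask(0o077)  # new database files are readable by the owner only
    try:
        with dbm.open(db_path, "c") as db:
            db[user.encode()] = record.encode()
    finally:
        os.umask(old_umask)

def verify_password(db_path: str, user: str, password: str) -> bool:
    """Login-side check: recompute the hash and compare in constant time."""
    try:
        with dbm.open(db_path, "r") as db:
            record = db.get(user.encode())
    except dbm.error:
        return False  # database does not exist or cannot be read
    if record is None:
        return False  # unknown user
    iterations, salt_hex, hash_hex = record.decode().split("$")
    candidate = _derive(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

if __name__ == "__main__":
    import getpass, sys
    # Usage (hypothetical script name): mailpasswd.py /path/to/store
    set_password(sys.argv[1], current_user(), getpass.getpass("New mail password: "))
```
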